How it works
Frethem.k arrives as an e-mail message similar to the one used by Frethem.e: the subject line reads "Re: Your password!" and the body text reads:
You can access
DO NOT SAVE
password to disk
use your mind
The attached file is either decrypt-password.exe (48K) or password.txt (93K).
When opened, the password.txt file contains the message: "Your password is W8dqwq8q918213."
Frethem.k copies itself to the following directory:
The worm then adds Taskbar.exe to the Windows directory and changes the following Registry entry:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Task Bar = Windows\taskbar.exe
To use the infected system's default SMTP engine, Frethem looks for the existence of this Registry item:
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\00000001
If account 00000001 does not exist, the worm will not spread. The worm searches WAB, MBX, EML, and MDB files for e-mail addresses and sends infected copies of itself to each address it finds. Frethem.k also connects to a series of hard-coded Web addresses, perhaps to earn credit for the number of hits generated.
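The lure message and the Run-key entry described above give a defender two concrete things to check for. The following Python, added here as an illustration and not part of the original advisory, flags both; the sample message and the Run-key snapshot are constructed for the example and are not real captures.

```python
import email
from email import policy

# Indicators taken from the advisory text above.
LURE_SUBJECT = "Re: Your password!"
LURE_ATTACHMENTS = {"decrypt-password.exe", "password.txt"}
RUN_VALUE_NAME = "Task Bar"      # value name the worm writes under HKCU\...\Run
RUN_VALUE_DATA = "taskbar.exe"   # file it adds to the Windows directory

def mail_indicators(raw_message):
    """Return the Frethem.k lure indicators present in one raw RFC 822 message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    if (msg["Subject"] or "").strip().lower() == LURE_SUBJECT.lower():
        hits.append("subject")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name in LURE_ATTACHMENTS:
            hits.append("attachment:" + name)
    return hits

def run_key_indicators(run_entries):
    """Flag Run-key values (name -> data) that match the worm's persistence entry."""
    hits = []
    for name, data in run_entries.items():
        if name.lower() == RUN_VALUE_NAME.lower() or data.lower().endswith(RUN_VALUE_DATA):
            hits.append("run:%s=%s" % (name, data))
    return hits

# Constructed sample input (not a real capture): a message shaped like the lure.
SAMPLE_MAIL = b"""Subject: Re: Your password!
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

You can access DO NOT SAVE password to disk use your mind
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="decrypt-password.exe"

MZ
--b1--
"""

# Constructed Run-key snapshot: one benign entry beside the worm's entry.
SAMPLE_RUN = {"Updater": r"C:\Program Files\Example\updater.exe",
              "Task Bar": r"Windows\taskbar.exe"}
```

On a live system the Run-key snapshot would come from reading HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run; the mail check is meant to run at a gateway before the message reaches a vulnerable client.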
Users of Microsoft Outlook 2002, and users of Outlook 2000 who have installed the Security Update, should be safe from the EXE and TXT attachments used by Frethem. The worm relies on Internet Explorer vulnerabilities that execute it automatically when the message is received. Fortunately, both the MIME header and IFRAME vulnerabilities were fixed by Microsoft in MS01-020; if you have not installed this patch, you are urged to do so now. Users who have not upgraded to Outlook 2002, or who have not installed the Security Update for Outlook 2000, should do so. In general, do not open attached files in e-mail without first saving them to disk and scanning them with updated antivirus software. Contact your antivirus vendor to obtain the most current signature files that include Frethem.k.
Several antivirus-software companies have updated their signature files to include this worm. This will stop the infection upon contact and in some cases will remove an active infection from your system. For more information, see Computer Associates, F-Secure, McAfee, Norman, Sophos, Symantec, and Trend Micro.